
Clients have two different choices for logging into the mobile application: application login and Facebook login.

I have to protect all RESTful services on the server side against unauthorized users.

My responsibility is to develop RESTful services. I am very good at application servers, J2EE, JMS, JDBC and distributed transactions (XA), but I am not too good at security.

I developed some STATELESS RESTful web services with Spring. These services are not protected, so everybody can use them.

For example:

http://...../api/country/{user_id}

http://...../api/country/{user_id},{country_id}

…

Each of my web services has a user_id input parameter because I need to identify which user made the server call. The results of the web services depend on the user. Of course, that is absolutely normal.

Now I have to develop some new things, because I have to protect these web services against unauthorized users.

My idea is:

(*) I will create two new web services like this:

applicationLogin(String username, String password)

and

facebookLogin(String accessToken)

http://...../api/login/{username}, {password}

http://...../api/login/{facebook access token}

(*) I will have to protect my web services against unauthorized users.

The user login process may look like this:
(1) the user fills in the username and password fields on his/her mobile device
(2) clicks the application login button
(3) the mobile application makes a server call to the public service http://...../api/login/{username}, {password}
(4) if the username and password are correct, I will generate a token (a long string with expiration date information) and put the username and the token string into the HTTP response header
(5) after that, the client has to send these two parameters (username and token) back to the server whenever it makes a web service call.

On the server side I can read the username from the HTTP request, so I can remove the user_id parameter from the signature of all web services.

I am trying to implement this process in Spring. I think I need to use the PRE_AUTH_FILTER from the Spring Security module. But I do not know whether my idea is good.
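The login flow described in steps (1)-(5) above, as an added example that is not part of the original post: a stateless token that carries the username and an expiry and is HMAC-signed with a server-side key, so a client cannot forge a token or extend its expiry, plus a Spring Security pre-authentication filter that turns a valid token into the request's principal. The header names X-Username and X-Auth-Token, the token layout and the class names are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
/** Stateless token: base64url(username|expiryMillis) "." base64url(HMAC-SHA256 over that payload). */
public class TokenService {
    private final byte[] secret; // server-side key; it never leaves the server
    public TokenService(byte[] secret) { this.secret = secret.clone(); }
    public String issue(String username, long ttlMillis) {
        String payload = username + "|" + (System.currentTimeMillis() + ttlMillis);
        return b64(payload.getBytes(StandardCharsets.UTF_8)) + "." + b64(mac(payload));
    }
    /** Returns the username if the MAC verifies, the token is unexpired and it matches the claimed user; else null. */
    public String verify(String token, String claimedUsername) {
        try {
            String[] parts = token.split("\\.", 2);
            String payload = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
            // Constant-time comparison: String.equals/Arrays.equals would leak timing information about the MAC.
            if (!MessageDigest.isEqual(mac(payload), Base64.getUrlDecoder().decode(parts[1]))) return null;
            int sep = payload.lastIndexOf('|');
            String username = payload.substring(0, sep);
            long expiry = Long.parseLong(payload.substring(sep + 1));
            if (System.currentTimeMillis() > expiry || !username.equals(claimedUsername)) return null;
            return username;
        } catch (RuntimeException e) {
            return null; // malformed token (bad base64, missing '.', bad number) is simply unauthenticated
        }
    }
    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(secret, "HmacSHA256"));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
}
class TokenPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter { // principal = verified username, or null
    private final TokenService tokens;
    TokenPreAuthFilter(TokenService tokens) { this.tokens = tokens; }
    @Override protected Object getPreAuthenticatedPrincipal(HttpServletRequest req) {
        String user = req.getHeader("X-Username"), token = req.getHeader("X-Auth-Token");
        return (user == null || token == null) ? null : tokens.verify(token, user);
    }
    @Override protected Object getPreAuthenticatedCredentials(HttpServletRequest req) { return "N/A"; }
}
```

The filter still has to be wired with an AuthenticationManager that holds a PreAuthenticatedAuthenticationProvider, and because the token is a bearer credential, both the login call and every subsequent call must go over HTTPS or anyone who can read the traffic can replay it.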